Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

During a panel discussion at the RSA Conference, 9/11 Commission member Jamie Gorelick said that industry-led Information Sharing and Analysis Centers (ISACs) are not serving their purpose and should be discontinued or changed. Gorelick maintained that the ISACs have neither the funding nor the organization to effectively provide the government with information about threats to the country's critical infrastructure, and that this shortfall is itself a threat to national security. Gorelick said that having the government fund the ISACs and provide communication systems and a single point of contact would help address the problem; presently the industry-specific ISACs are funded by their members. Information Technology ISAC president Guy Copeland said his group is stronger precisely because it has never received government funding.
-http://www.infoworld.com/article/05/02/18/HNsecurity911_1.html
[Editor's Note (Tan): It takes two to tango. To be successful in information sharing, all parties must contribute and participate. The day when industry voluntarily shares information with Government will be the day that marks the success of information sharing.]

Singapore's Infocomm Security Masterplan (22 February 2005)

Singapore's Infocomm Security Masterplan will focus on increasing capabilities to address cyber threats and on creating a cyber attack early warning system. Initiatives include the enhancement of security training and certification programs, cyber security public awareness campaigns, and the establishment of a National Cyber-Threat Monitoring Center. Plans also include the introduction of a Common Criteria Certification Scheme. The Masterplan has a budget of S$38 million (US$23.4 million) over a three-year period.
-http://asia.cnet.com/news/security/printfriendly.htm?AT=39218719-39037064t-39000005c
[Editor's Note (Shpantzer): Common Criteria again? Spend the money elsewhere. There are plenty of commercial products available with certification, and some of these certs are useless (ex: Windows 2000 is EAL4+, higher than any other commercial OS!) in the context of a real production environment. Please see this link for one point of view on caveats for Common Criteria:
-http://eros.cs.jhu.edu/~shap/NT-EAL4.html]

Bank of America has revealed that it has lost backup tapes containing personal data, including Social Security numbers and account information, of 1.2 million federal employees. Bank of America spokeswoman Eloise Hale said there is no evidence that the tapes or the data they contain have been misused, and that the tapes are presumed lost. Senator Charles Schumer (D-NY) says he was told it is likely the tapes were stolen from a commercial airliner by baggage handlers in December. Senator Susan Collins (R-Maine) is drafting a letter to the General Services Administration and Bank of America asking how federal employees' personal data will be protected.
-http://www.washingtonpost.com/ac2/wp-dyn/A54823-2005Feb25?language=printer (site requires free registration)
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35170

Payroll services firm PayMaxx closed its online site after becoming aware of vulnerabilities that put customer data at risk of exposure. Online W-2 forms had been assigned sequential ID numbers that appeared in the links sent to their owners, so any user could alter the number in the link and view other customers' forms; nothing tied the requested form to the account requesting it. In addition, the PayMaxx database included a test record whose Social Security number and password consisted entirely of zeroes. The vulnerabilities affected data belonging to 25,000 people.
-http://news.zdnet.com/2102-1009_22-5591029.html?tag=printthis
-http://news.zdnet.com/2102-1009_22-5587859.html?tag=printthis
[Editor's Note (Shpantzer): We reported on this back in 2002. For a tragicomic example of this 'hack' see
-http://www.sans.org/newsletters/newsbites/vol4_44.php
and look for the story with this headline: 28 October 2002 Reuters Charged with Hacking.
(Northcutt): They didn't have time to do it right, but they have time to do it over; maybe. I bet the CEO of PayMaxx wishes his development team would have watched SANS First Wednesday Webcast - Control Security Risks in Software Design and Development Featuring: David Read Wednesday, March 02 at 1:00 PM EST (1800 UTC)
-https://www.sans.org/webcasts/show.php?webcastid=90537]
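The link-manipulation flaw in the PayMaxx story is what is now called an insecure direct object reference: the number in the URL is taken as proof that the requester may see the record. The following is an added example, not PayMaxx's code or anything from the article; the record store, user names, sequential IDs and the leftover all-zero test record are constructed so the block runs offline. It shows the vulnerable lookup, the enumeration it permits, the hardened lookup that authorizes against the session, unguessable link handles as a second layer, and a pre-deployment check for placeholder records.

```python
"""IDOR of the kind in the PayMaxx story, with the hardened lookup beside it.
Added example; all data below is constructed, not from PayMaxx or the article."""
import secrets
from typing import Callable, Dict, Iterator

# Constructed sample data: W-2 forms keyed by the sequential ID that the
# vulnerable site placed directly in each customer's link.
W2_RECORDS: Dict[int, dict] = {
    1001: {"owner": "alice", "ssn": "123-45-6789", "wages": 52000},
    1002: {"owner": "bob",   "ssn": "987-65-4321", "wages": 61000},
    1003: {"owner": "carol", "ssn": "555-12-3456", "wages": 48000},
    # The kind of leftover test record the article mentions: all zeroes.
    9999: {"owner": "test",  "ssn": "000-00-0000", "wages": 0},
}


class NotFound(Exception):
    """Raised for both 'no such form' and 'not your form', so the response
    does not reveal which IDs exist."""


def vulnerable_get_w2(session_user: str, form_id: int) -> dict:
    """The bug: the ID taken from the link is trusted as entitlement.
    session_user is authenticated but never compared to the record owner."""
    rec = W2_RECORDS.get(form_id)
    if rec is None:
        raise NotFound(form_id)
    return rec


def enumerate_as(session_user: str, id_range: range,
                 lookup: Callable[[str, int], dict]) -> Iterator[dict]:
    """What sequential IDs invite: walk the range and keep whatever comes back."""
    for fid in id_range:
        try:
            yield lookup(session_user, fid)
        except NotFound:
            continue


def secure_get_w2(session_user: str, form_id: int) -> dict:
    """Fix 1: authorize every lookup server-side against the session user."""
    rec = W2_RECORDS.get(form_id)
    if rec is None or rec["owner"] != session_user:
        raise NotFound(form_id)
    return rec


# Fix 2 (defence in depth): put an unguessable handle in the link instead of
# the database key, so a missed ownership check is still not enumerable.
_TOKEN_TO_ID: Dict[str, int] = {}


def issue_link_token(form_id: int) -> str:
    """Mint a 256-bit random handle for a form; this is what goes in the link."""
    token = secrets.token_urlsafe(32)
    _TOKEN_TO_ID[token] = form_id
    return token


def get_w2_by_token(session_user: str, token: str) -> dict:
    form_id = _TOKEN_TO_ID.get(token)
    if form_id is None:
        raise NotFound(token)
    return secure_get_w2(session_user, form_id)   # still check ownership


def placeholder_records() -> list:
    """Pre-deployment check for the story's other flaw: records whose SSN is a
    filler value such as all zeroes must not reach production."""
    return [fid for fid, rec in W2_RECORDS.items()
            if set(rec["ssn"].replace("-", "")) == {"0"}]


if __name__ == "__main__":
    # alice, logged in, rewrites the number in her link and walks the range.
    leaked = list(enumerate_as("alice", range(1000, 1010), vulnerable_get_w2))
    print(f"vulnerable endpoint leaked {len(leaked)} forms to alice")
    own = list(enumerate_as("alice", range(1000, 1010), secure_get_w2))
    print(f"hardened endpoint returned {len(own)} form(s) to alice")
    print("placeholder records:", placeholder_records())
```

The ownership check is the actual fix; random handles only raise the cost of guessing and must not replace it. Returning the same NotFound for "no such form" and "not your form" keeps the hardened endpoint from confirming which IDs exist.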

THE REST OF THE WEEK'S NEWS

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

IG Report: IRS Secure Messaging Must be Used by All to be Effective (28 February 2005)

A report from the Treasury Inspector General for Tax Administration found that while the Internal Revenue Service has a Secure Messaging system that allows employees to share sensitive information through encrypted email, only 76% of IRS email mailboxes have been enrolled. The program is not effective unless both the sender and the recipient of a message are using the encryption service. The encryption program consumes both storage and financial resources; if the IRS decides to keep the program, the IG report recommends making sure that 100% of employees who send sensitive data are enrolled.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=35174
[Editor's Note (Grefer): If all email were encrypted, this would become a moot point.
(Tan): It is essential to have a secure system to protect the taxpayers' financial data. The IRS should gather feedback to understand why their employees choose not to use the secure system and then eliminate the problems that make it hard to use.]

DHS Will Conduct Cyber Preparedness Exercise in November (22 February 2005)

The Department of Homeland Security has announced its intention to conduct an unclassified "cyber preparedness exercise" in November of this year. The exercise will be designed to allow government agencies to test their responses to cyber attacks on networks that support the country's critical infrastructure. -http://www.fcw.com/fcw/articles/2005/0221/web-cyber-02-22-05.asp

WORMS, ACTIVE EXPLOITS, VULNERABILITIES, AND PATCHES

SP2 Automatic Update Blocking Will Expire in April (28 February 2005)

April 12, 2005, marks the end of the grace period allowed by Microsoft for users to block XP SP2 from downloading via Automatic Update. After that date, users will have no choice, and SP2 will be automatically delivered to all Automatic Update customers with Windows XP or XP SP1. SP2 was initially distributed in August 2004; users were given a 120-day grace period, which was later extended to 240 days, to block the update from downloading onto their machines. -http://asia.cnet.com/news/software/printfriendly.htm?AT=39219480-39037051t-39000001c

Mozilla Releases First Firefox Update (24 February 2005)

Mozilla has released the first update to its Firefox 1.0 web browser, which was introduced in November 2004. The update fixes flaws that could allow spoofing and phishing attacks and others that cause the browser to crash. Firefox 1.0.1 was released on February 24 and is expected to become available soon via Firefox's automatic update feature. None of the flaws addressed is rated highly critical, and there are no known exploits for them.
-http://www.informationweek.com/story/showArticle.jhtml?articleID=60403364
[Editor's Note (Northcutt): After the systems folks completed testing, the majority of SANS employees were directed to upgrade to Firefox version 1.0.1. I have seen two issues: the update reset the home page back to Firefox, and Internet Explorer is now the automatically launched browser when a link is clicked in applications like MS Word. Both are minor and I am sure there are simple workarounds, but those are the gotchas that could limit the perceived success of a rollout.]

T-Mobile Warns of Voice Mail Box Vulnerability (24 February 2005)

T-Mobile has issued a warning about a vulnerability in a voice mail feature that could allow attackers armed with subscriber phone numbers to listen to and download voice mailbox contents and control voice mail functions. The attack could be carried out via a public pay phone. T-Mobile advises subscribers to use passwords for voice mail access. -http://news.zdnet.com/2102-1009_22-5589608.html?tag=printthis

Patch Available for Java Flaw in MacOS X (23 February 2005)

Apple released a patch for a critical Java vulnerability in Mac OS X on February 23. The flaw could allow an untrusted applet to obtain elevated privileges and "potentially execute arbitrary code." The flaw was first reported three months ago, leading some to question why it took Apple so long to address a critical vulnerability.
-http://www.eweek.com/print_article2/0,2533,a=146456,00.asp

Cabir Phone Worm Migrates to US (18 February 2005)

Two cell phones on display in a California store have been infected with the Cabir worm, marking the first reported Cabir infections in the US. The phones were in the store's window, close enough for passersby to infect them over Bluetooth, the channel Cabir spreads on; some have speculated that from that vantage the phones could in turn have been infecting passersby, though there have been no reports of additional infections. Cabir emerged in June of last year as a proof-of-concept worm, but variants since then have become more destructive.
-http://news.com.com/2102-7349_3-5582302.html?tag=st.util.print

Lawsuit Against ChoicePoint Alleges Fraud and Negligence (24/23 February 2005)

A California woman has filed a lawsuit against ChoicePoint that she hopes will gain class action status. Ellen Goldberg's suit alleges fraud and negligence on the part of the data brokerage company, which has admitted selling personal information belonging to more than 140,000 people to scam artists. The identity thieves posed as legitimate businesses and opened 50 customer accounts, which allowed them to buy the data. There have been at least 750 cases of identity theft associated with the ChoicePoint breach. The case could lead to standards for the way data brokerages handle the information they collect and to regulations that would hold companies liable for "lax data protection." Legal experts are not confident that attempts to win financial compensation from ChoicePoint will succeed because in past cases, "courts have been unwilling to penalize companies when the victims are not the direct customers of the company."
-http://www.wired.com/news/print/0,1294,66710,00.html
-http://www.wired.com/news/print/0,1294,66685,00.html

ChoicePoint is making changes it hopes will protect the consumer data it holds from unauthorized access. First, the Georgia-based personal information vendor says it is checking the credentials of all existing clients to ensure their legitimacy. The company is also "masking or truncating sensitive personal identifier numbers."
-http://www.computerworld.com/printthis/2005/0,4814,99945,00.html

Firefox Downloads Top 25 Million (28/22 February 2005)

As of Friday, February 18, the number of Firefox downloads exceeded 25 million, fewer than 100 days after the release of the open-source browser. Firefox now holds 4.8% of the browser market, compared to Microsoft Internet Explorer's 92.7%. The growth can be attributed at least in part to the browser's security record. Some have urged caution in making Firefox a corporate default browser: as it gains market share and popularity, it will become an increasingly appealing target for attackers. While Firefox's market share gain against Internet Explorer was 15% over the past five weeks, that figure is down from 34% in the first few weeks after the browser's release on November 9 and 22% in the five-week period between December 3, 2004 and January 14, 2005. Mozilla has set the goal of a 15% market share for Firefox by the end of 2005.
-http://www.newsfactor.com/story.xhtml?story_id=30609
-http://www.cio-today.com/wrldwd/story.xhtml?story_title=Firefox-Growth--Market-Share-Slow&story_id=30757&category=wrldwd

Microsoft Will Reimburse Dutch Web Company for Inadvertently Blocked Portal (22 February 2005)

Microsoft will pay a Dutch web company EUR10,000 (US$13,185) because its Windows AntiSpyware blocked one of the company's portals, Startpagina, a popular Dutch directory page. As a result, Internet users who wanted Startpagina as their home page were forced to use MSN.com as their home page instead. The flaw has been fixed in the most recent version of Windows AntiSpyware.
-http://www.theregister.co.uk/2005/02/22/microsoft_spyware_ilse/print.html

===end===

NewsBites Editorial Board: Kathy Bradford, Roland Grefer, Stephen Northcutt, Alan Paller, John Pescatore, Marcus Ranum, Howard Schmidt, Bruce Schneier, Eugene Schultz, Gal Shpantzer, Koon Yaw Tan

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/